#1  15th November 2011, 03:48
heinkonijn (Junior Member, joined Nov 2011, 1 post)

Bug in freeradius 2?

I ran into an issue with freeradius 2 and LDAP (eDirectory) groups.

Authentication is working properly, just not reading the group memberships.

I have this rule in /etc/raddb/users

DEFAULT LDAP-Group != "cn=remote,ou=Groups,o=ABC", Auth-Type := Reject
	Reply-Message = "You are not allowed to connect"

When I do an LDAP trace on the LDAP server I get this:

15:08:42 9353CBA0 LDAP: (10.60.1.12:53889)(0x0004:0x63) Sending search result entry "cn=user,ou=Users,o=ABC" to connection 0xca20780
15:08:42 9353CBA0 LDAP: (10.60.1.12:53889)(0x0004:0x63) Sending operation result 0:"":"" to connection 0xca20780
15:08:42 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0005:0x77) DoExtended on connection 0xca20780
15:08:42 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0005:0x77) DoExtended: Extension Request OID: 2.16.840.1.113719.1.39.42.100.13
15:08:42 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0005:0x77) Sending operation result 0:"":"" to connection 0xca20780
15:08:47 90490BA0 LDAP: (10.48.5.240:39601)(0x0002:0x63) Activating pending operation 0x2:0x63 on connection 0xccf1780
15:08:48 94360BA0 LDAP: (10.60.1.12:53889)(0x0006:0x63) DoSearch on connection 0xca20780
15:08:48 94360BA0 LDAP: (10.60.1.12:53889)(0x0006:0x63) Search request:
base: "ou=USERS,o=ABC"
scope:2 dereference:0 sizelimit:0 timelimit:3 attrsonly:0
filter: "(uid=user)"
attribute: "dn"
15:08:48 94360BA0 LDAP: (10.60.1.12:53889)(0x0006:0x63) Sending search result entry "cn=user,ou=Users,o=ABC" to connection 0xca20780
15:08:48 94360BA0 LDAP: (10.60.1.12:53889)(0x0006:0x63) Sending operation result 0:"":"" to connection 0xca20780
15:08:48 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0007:0x63) DoSearch on connection 0xca20780
15:08:48 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0007:0x63) Search request:
base: "cn=remote,ou=Groups,o=ABC"
scope:2 dereference:0 sizelimit:0 timelimit:3 attrsonly:0
filter: "(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))"
attribute: "dn"
15:08:48 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0007:0x63) Sending operation result 0:"":"" to connection 0xca20780
15:08:48 9353CBA0 LDAP: (10.60.1.12:53889)(0x0008:0x63) DoSearch on connection 0xca20780
15:08:48 9353CBA0 LDAP: (10.60.1.12:53889)(0x0008:0x63) Search request:

So freeradius thinks the user is not a member.


I have found what the issue is.

There is a filter in modules/ldap which says this:
groupmembership_filter = "(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"

But it looks like the variable %{Ldap-UserDn} just doesn't work...
I reworked the filter a bit to this:
groupmembership_filter = "(&(objectClass=GroupOfNames)(member=cn=%{User-Name},ou=users,o=ABC))"

This is working now, but only for one container. Fortunately all the users who use RADIUS are in this container, so it's OK for now, but it's not the best solution.

Any suggestions about this?
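The following is an added example (it is not code from the post above and not part of FreeRADIUS). It imitates, against a small in-memory directory, what an LDAP-Group check does: resolve the user's DN from the uid first, then run groupmembership_filter with that DN substituted for %{Ldap-UserDn}. Running the same template with an empty DN reproduces the "(member=)" filter from the eDirectory trace, which can never match; and the cn=%{User-Name},ou=users workaround is run against a member who lives in another container to show where it stops working. All entries, the "admin" user in ou=Admins, and the user search base of o=ABC are made up for the example; the filter parser only handles the &, |, ! and equality forms these filters use.

```python
import re

# Constructed directory (not the poster's real tree): attribute names are stored
# lower-cased so lookups are case-insensitive, as in LDAP.
DIRECTORY = {
    "cn=user,ou=Users,o=ABC": {"objectclass": ["inetOrgPerson"], "uid": ["user"]},
    "cn=other,ou=Users,o=ABC": {"objectclass": ["inetOrgPerson"], "uid": ["other"]},
    "cn=admin,ou=Admins,o=ABC": {"objectclass": ["inetOrgPerson"], "uid": ["admin"]},
    "cn=remote,ou=Groups,o=ABC": {
        "objectclass": ["GroupOfNames"],
        "member": ["cn=user,ou=Users,o=ABC", "cn=admin,ou=Admins,o=ABC"],
    },
}

# The module default quoted in the post, and the poster's workaround.
DEFAULT_FILTER = "(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
WORKAROUND_FILTER = "(&(objectClass=GroupOfNames)(member=cn=%{User-Name},ou=users,o=ABC))"
GROUP_DN = "cn=remote,ou=Groups,o=ABC"
USER_BASE = "o=ABC"  # assumed: wide enough to cover more than one container


def ldap_escape(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def expand(template, **av):
    """Substitute %{Attr} with the escaped attribute value, '' when unset.
    An unset Ldap-UserDn is exactly how the template becomes '(member=)'."""
    return re.sub(r"%\{([A-Za-z-]+)\}", lambda m: ldap_escape(av.get(m.group(1), "")), template)


def parse_filter(text):
    """Parse the filter subset used here: (&..), (|..), (!..) and (attr=value)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            pos += 1  # the ')' closing this compound
            return (op, kids)
        end = text.index(")", pos)  # a literal ')' inside a value must be escaped as \29
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        unescaped = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
        return ("=", attr.lower(), unescaped)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data in filter")
    return tree


def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    op = node[0]
    if op == "=":
        return any(v.lower() == node[2].lower() for v in attrs.get(node[1], []))
    if op == "&":
        return all(matches(k, attrs) for k in node[1])
    if op == "|":
        return any(matches(k, attrs) for k in node[1])
    return not matches(node[1][0], attrs)  # '!'


def search(base, filt):
    """Subtree search: every entry at or below base that matches the filter."""
    tree = parse_filter(filt)
    base_l = base.lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if (dn.lower() == base_l or dn.lower().endswith("," + base_l)) and matches(tree, attrs)]


def find_user_dn(user_name):
    """Step one of the group check: look the user up by uid to get the DN."""
    hits = search(USER_BASE, expand("(uid=%{User-Name})", **{"User-Name": user_name}))
    return hits[0] if hits else ""


def is_member(user_name, template=DEFAULT_FILTER, user_dn=None):
    """Step two: returns (matched, expanded filter). Pass user_dn="" to
    simulate the unset %{Ldap-UserDn} that the post's trace shows."""
    if user_dn is None:
        user_dn = find_user_dn(user_name)
    filt = expand(template, **{"Ldap-UserDn": user_dn, "User-Name": user_name})
    return bool(search(GROUP_DN, filt)), filt


if __name__ == "__main__":
    for name, kw in [("user", {}), ("user", {"user_dn": ""}), ("admin", {}),
                     ("admin", {"template": WORKAROUND_FILTER})]:
        print(name, kw, is_member(name, **kw))
```

The values substituted into the filter are escaped per RFC 4515 before they go in, so a user name containing "*", "(", ")" or "\" cannot change the shape of the filter; the comparison stays an exact match on the resolved DN rather than on whatever the client sent as User-Name.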